Job Search

Smartphones at risk of malicious code injection through HTML5-based apps

1/04/2014 by

Only a fraction of mobile apps are currently written in HTML5 – but if 50 percent of applications are written in the markup language by 2016, as experts predict, then a whole lot of smartphones could soon be at risk of a new Cross-Device Scripting (XDS) attack that researchers have been investigating.

Attackers can inject the malicious code through a number of different commonly used channels, including Wi-Fi scanning, SMS messaging, scanning of 2D barcodes, Bluetooth pairing, and even through the playing of MP3 audio or MP4 videos, Du told SCMagazine.com on Monday.

So, if a compromised 2D barcode was scanned using an HTML5-based app, then that app would be compromised. However, playing a compromised MP3 file in an app running in the device’s native programming language – Android-based devices use JavaScript and iOS devices use Objective-C – would result in no compromise.

The injection via Wi-Fi scanning is particularly interesting because it does not require a user to connect to the attacker’s network, just to locate it using a vulnerable HTML5-based app, Du said, explaining an attacker can circumvent the 32 byte length limitation and inject more effective malicious code by using multiple Wi-Fi access points.

Montash is a multi-award winning, global IT recruitment firm. Specialising in permanent and contract positions across mid-senior appointments which cover a wide range of industry sectors and IT functions, including:

With offices based in London, Montash has completed assignments in over 30 countries and has appointed technical professionals from board level to senior and mid-management in permanent and contract roles.